Managing Risks and Perceptions in Everyday Organisational Cybersecurity
DOI: https://doi.org/10.3127/ajis.v29.6011
Keywords: Information security, Active risk-taking, Passive risk-taking, Perceived threat, Neutralisation
Abstract
Employee compliance is crucial for effective cybersecurity, yet the underlying psychological drivers of risky behaviours remain complex. Deliberate cybersecurity risks can arise through active behaviours (actions) or passive behaviours (inaction). Despite growing conceptual recognition of this distinction, empirical evidence remains limited. This study examines how threat perception and neutralisation differentially shape cybersecurity intentions across these two risk domains. Survey data from 490 UK employees, covering four common cybersecurity behaviours, were analysed. The findings show that both perceived threat and neutralisation significantly influence intentions, but in different ways. Neutralisation more strongly predicts active risk-taking, whereas perceived threat is a stronger predictor of passive risk-taking. Moreover, passive risk-taking was reported more frequently than active risk-taking, challenging assumptions that employee-driven cybersecurity vulnerabilities primarily stem from overt policy violations. By identifying distinct psychological mechanisms underlying active and passive risk-taking, this study provides practical insights for the design of targeted cybersecurity interventions. Future studies could examine contextual factors that moderate the interplay between threat perception and neutralisation across risk domains.
License
Copyright (c) 2025 Sunitha Prabhu

This work is licensed under a Creative Commons Attribution-NonCommercial 3.0 Unported License.
AJIS publishes open-access articles distributed under the terms of a Creative Commons Non-Commercial and Attribution License which permits non-commercial use, distribution, and reproduction in any medium, provided the original author and AJIS are credited. All other rights including granting permissions beyond those in the above license remain the property of the author(s).